Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/08/2024, 13:12

General

  • Target

    c0d149a7828c3ad6046da2d897bcff0c_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    c0d149a7828c3ad6046da2d897bcff0c

  • SHA1

    82d8d681d93dee030b6796d4889bb74644ba06f6

  • SHA256

    cafb7841867fc7b1dd7bcb1c1da6f81f63750dd16831423ac54e2fcc9d22874a

  • SHA512

    9aa8fc98cd9ca22e8479a19790249df9a9f032884baa92bbacfb99e7f9f18c6718763dbefeb3c348ee9ba50bfe1cf8ee78952eab830353be65ec682bafa15abe

  • SSDEEP

    98304:+DqPoO1aRxcSUDk36SAEdhvxWa9P593R:+DqPj1Cxcxk3ZAEUadzR

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3191) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c0d149a7828c3ad6046da2d897bcff0c_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\c0d149a7828c3ad6046da2d897bcff0c_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1572
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2972
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2868
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2788

Network

        Downloads

        • C:\Windows\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          2cb069c56956bb9b6e62d393758d61a7

          SHA1

          220f4451f7ec2de03b482ddcf28c6ecda3e5366f

          SHA256

          0791f5ae5cbeec298082736457292521b23874ae0e77506c4ea12e65e3d2e52f

          SHA512

          13f47349f24593b4a0eb3094e816cf5c4bc826dc9a08c0ec9f5a4a55a17412b59fc6cfb2dcadbe1222c35e6d991e05605bf7db98b53557a2c128e831171babf3

        • C:\Windows\tasksche.exe

          Filesize

          3.4MB

          MD5

          d59d6d48c3d6e9292c296e557a186391

          SHA1

          7f0916d7befcf929521087cde11b6d94d7331154

          SHA256

          905ad8e2fc1f98ab1e934de1d01d85973291ccadd41c85ba1a7dcc3b2af6ed96

          SHA512

          7b2fc97070ac47e6596cfe0da96b1b1369feeb4ab62af136f172ee306187cee3e04b68b8f786d7b4b4dee49054d53a33cd8048abdc8cba9853b3e119a08ac23e